Courion Corporation

How Access Insight Works – A Visual Tour

Today we announced how HCR ManorCare is using Courion Access Insight™ software to identify, quantify and manage potential risk of improper access to its systems and resources across 500 health care facilities in 32 states.

In this post, we’ll show you exactly how Access Insight works in any application environment, whether automated or not.

Access Insight analyzes risk associated with user access on a continuous basis, alerting customers to needle-in-the-haystack risks so busy security teams can prioritize remedial action. It portrays risks in graphical profiles – i.e., heat maps. Users can instantly drill down into the billions of data points behind those maps to focus on lines of business, specific data sets such as PHI (Personal Healthcare Information), or specific compliance areas such as PCI (Payment Card Industry) data security compliance. From there, they can weigh the risks to vital assets such as intellectual property and customer information and settle them instantly.

You spot it, investigate it and settle it.

Screenshots (below) from another customer implementation will help us tell the story. Let’s go!

Where’s my risk?

So you’re a CIO or CISO, and you wonder, “Where is my company most at risk for information loss? How much? What type? What can we do about it?”

You log into the Access Insight portal:

The screenshot on the left depicts risk by line of business. The one on the right is risk by a single application you’ve chosen.

Risk is a product of the impact of a potential breach and its likelihood. Impact grades are assigned for each application depending on factors such as the amount of customer information and potential financial loss associated with them. Likelihood is derived by considering the number, size and seriousness of threat vectors, e.g., the number of people with access, their access level, their activity, etc.

Whoa! One application bubble is drifting deeply into the critical area (upper right corner of the first heat map). You click on the bubble and learn what’s driving that risk:

How big is my problem?

You see that orphan accounts and a variety of access issues are the problem. That’s good intelligence, but you need more. You specifically want to know, “How big is my unnecessary access risk problem?”

You click on the Unnecessary Access link and get a lot more information:

The upper left window, “Access Rights in Excess of Role,” compares the entitlements people have versus what they should have based on the way you’ve defined their roles. In this window, you see the top 20 employees ranked by the number of rights they have beyond the number assigned for their role. You can further slice and dice this by line of business, location or application.

Note: this is far more informative than a chart of who has the most rights in an organization. This is about who has more access rights than they should. If you see a building maintenance person at the top of the list, that might be reason for concern, even if his or her total number of rights is far lower than an HR executive’s.

The upper right window, “Abandoned Accounts – Days Unused,” depicts accounts that have gone unused for more than 500 days. The longest bar isn’t necessarily the riskiest; it just represents the longest duration. The bars are color coded to reflect a greater or lesser number of access rights (red is bad). You can mouse over any bar for more information.

The bottom window, “Excessive Rights when Compared to Peers,” is for companies that have not yet defined roles with designated sets of access rights. Access Insight calculates virtual roles by departments for you. The chart depicts who has access rights that outstrip their peers in their departments. That’s good information for you to know, and without Access Insight, you’d be hard-pressed to discover it. With Access Insight, it takes no effort. This functionality is embedded the day you turn it on.
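
The two comparisons described above, excess over a defined role and excess relative to department peers, as an added Python example (not Courion's code; this page does not describe how Access Insight actually calculates them). The sample users, the entitlement names and the strict-majority rule used to derive a virtual role are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data: (user, department, assigned role or None, entitlements held).
ROLES = {"nurse": {"ehr_read", "ehr_write", "schedule"},
         "maintenance": {"workorders", "badge_doors"}}
USERS = [
    ("alice", "nursing", "nurse", {"ehr_read", "ehr_write", "schedule"}),
    ("bob", "nursing", "nurse", {"ehr_read", "ehr_write", "schedule", "billing_admin"}),
    ("carol", "nursing", None, {"ehr_read", "schedule"}),
    ("dave", "facilities", "maintenance",
     {"workorders", "badge_doors", "ehr_read", "hr_records", "payroll"}),
    ("erin", "facilities", None, {"workorders", "badge_doors"}),
]

def rank(excess):
    """Drop users with no excess; sort by excess count (descending), then name."""
    rows = [(user, sorted(ents)) for user, ents in excess.items() if ents]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

def excess_of_role(users, roles):
    """Entitlements held beyond the defined role; users without a role are skipped."""
    return rank({u: ents - roles[role] for u, _, role, ents in users if role in roles})

def virtual_roles(users):
    """Assumed heuristic: a department's virtual role is every entitlement
    held by a strict majority of its members."""
    members, counts = Counter(), defaultdict(Counter)
    for _, dept, _, ents in users:
        members[dept] += 1
        counts[dept].update(ents)
    return {d: {e for e, n in c.items() if 2 * n > members[d]}
            for d, c in counts.items()}

def excess_vs_peers(users):
    """Entitlements a user holds that fall outside the department's virtual role."""
    vroles = virtual_roles(users)
    return rank({u: ents - vroles[dept] for u, dept, _, ents in users})

if __name__ == "__main__":
    print("Excess of role: ", excess_of_role(USERS, ROLES))
    print("Virtual roles:  ", virtual_roles(USERS))
    print("Excess vs peers:", excess_vs_peers(USERS))
```

In very small departments a majority-based virtual role is unstable, so peer rankings for such groups deserve a manual look before any access is removed.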

Settle the risk

Okay, Mr. or Ms. CIO, you’ve identified risks and drilled down into exactly what’s driving them. Now it’s time to settle your risk. Have you noticed this icon on the previous screens?

Click on the green cross badge in the “Abandoned Accounts - Days Unused” window above, and you get this remediation dashboard:

Here in the table you see the five “offending” accounts, the relevant systems and all the information you might need to take corrective action. As you can see, this dashboard is revealed by selecting “Correct Access” on the dropdown menu to the left. To disable the accounts, simply click the “Settle Risk” button. You could have clicked “Review Access” to initiate a real-time re-certification cycle in our ComplianceCourier™ software. If you did that, the application owner could settle the risk right then and there, rather than waiting six to 12 months for the next scheduled cycle. This is real-time certification and compliance, something many organizations need today.

All of the dropdown options launch a business process. Actions like these are fully automated if you’re using the Courion Access Risk Management Suite or one of the IdM, ticketing or other systems we integrate with. You can alternatively enable the email function to send an automated message to the security team. With the “Correct Controls” option, you can adjust access parameters. For example, you might force accounts to be disabled after 90 days, or passwords to be reset every 60.

Adding on to Access Insight

Access Insight is easily extensible. One of our clients, for example, wanted to integrate access risk data and time data, making it easy for them to investigate this question: “How can we find out whether employees and contractors are improperly accessing files outside their clocked hours?”

That’s easy enough. You simply snap timecard information into the data already being tracked, and you can see what files are being accessed and when. If, say, someone accessed intellectual property data at 3 a.m., the combination of the information accessed and the time might raise a red flag. The top left window, “Risk of Abnormal Activity for Fileshares,” tells the story. Again, it rates risks by impact and likelihood of a breach, with bubble size reflecting the amount of activity on the file set. The upper right window, “Abnormal Activity by User,” shows which users are conducting how much after-hours activity. In addition to analyzing this activity by user, you could slice and dice it by division, business unit, department or file share.
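
The timecard correlation described above, as an added Python example (not Courion's code). The record layouts, user names, share paths and impact weights are constructed for illustration, and both data sources are assumed to use the same time zone.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data.
TIMECARDS = [  # (user, clock_in, clock_out)
    ("rlee", "2024-01-08 09:00", "2024-01-08 17:30"),
    ("mia", "2024-01-08 22:00", "2024-01-09 06:00"),  # night shift spans midnight
]
FILE_ACCESS = [  # (user, timestamp, share, data classification)
    ("rlee", "2024-01-08 10:15", "//fs1/designs", "intellectual_property"),
    ("rlee", "2024-01-09 03:02", "//fs1/designs", "intellectual_property"),
    ("mia", "2024-01-09 03:10", "//fs1/charts", "phi"),
    ("mia", "2024-01-09 14:00", "//fs1/public", "general"),
    ("zed", "2024-01-08 11:00", "//fs1/designs", "intellectual_property"),
]
# Assumed impact weight per classification (higher = more sensitive).
IMPACT = {"intellectual_property": 5, "phi": 5, "general": 1}

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def shifts_by_user(timecards):
    shifts = defaultdict(list)
    for user, start, end in timecards:
        shifts[user].append((ts(start), ts(end)))
    return shifts

def off_clock_events(access, timecards):
    """Return access events that fall outside every clocked shift of that user.
    A user with no timecard at all has every access flagged."""
    shifts = shifts_by_user(timecards)
    flagged = []
    for user, when, share, label in access:
        t = ts(when)
        if not any(start <= t <= end for start, end in shifts.get(user, [])):
            flagged.append((user, when, share, label))
    return flagged

def risk_by_user(flagged, impact):
    """Sum impact weights of flagged events per user, highest first."""
    totals = defaultdict(int)
    for user, _, _, label in flagged:
        totals[user] += impact.get(label, 1)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    events = off_clock_events(FILE_ACCESS, TIMECARDS)
    print(events)
    print(risk_by_user(events, IMPACT))
```

Comparing against actual clocked intervals rather than a fixed "business hours" window keeps the night-shift access at 03:10 from being flagged while the 03:02 access by a day-shift user is.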

Or you could look at the abnormal activity pattern over time:

This chart displays the historical view for the past five months. Each bar represents the amount of activity, and the color represents the risk. Hmm, looks like we need to chat with Ravi M. about the week of Jan. 15th, when he was supposed to be skiing in Vail!

So we’ve walked through the process of identifying risk, understanding the risk drivers and settling the risk. All of this intelligence is found in the dangerous gap between the provisioning of access rights and the time you certify they’re good – the IAM (identity and access management) gap.